Trust model for CloudBees Core on modern cloud platforms

In the CloudBees Core on modern cloud platforms trust model, Managed Master administrators are trusted, but build agents are not trusted.

Note: This information applies to CloudBees Core on modern cloud platforms 2.222.1.1 and later.

Managed Masters can only manage build agents in another namespace so that they can’t affect the runtime of other masters, but they can interfere with builds started by other masters. Build agents can be scheduled only with service accounts that are defined in the other namespace.

If you install the Helm chart with the value Agents.SeparateNamespace.Enabled=true, you can have:

  • One namespace with Operations Center and Managed Masters

  • One namespace with all build agents

CloudBees recommends the following additional security considerations:

  • Enable Pod Security Policies on the cluster. It limits container privileges to avoid compromising the host they are running on.

  • Deny team members from having administrative rights to their Managed Masters. This enables Managed Masters to be used as a security boundary between teams.

  • Enable Network Policies. It controls network access between pods and namespaces to limit interactions to legal interactions.

  • Run any build agents that require Kubernetes privileges in a separate namespace.

  • Run any build agents that require container privileges in a separate node pool.